Exact quantum Fourier transforms and discrete 
logarithm algorithms 



Michele Mosca and Christof Zalka 

Department of Combinatorics and Optimization 
University of Waterloo, Waterloo, Ontario 
Canada N2L 3G1 

e-mail: mmoscaOiqc . ca and zalkaOiqc . ca 

February 1, 2008 



Abstract 

We show how the quantum fast Fourier transform (QFFT) can be 
made exact for arbitrary orders (first for large primes) . For most quantum 
algorithms only the quantum Fourier transform of order 2" is needed, 
and this can be done exactly. Kitaev showed how to approximate the 
Fourier transform for any order. Here we show how his construction can be 
made exact by using the technique known as "amplitude amplification". 
Although unlikely to be of any practical use, this construction e.g. allows 
to make Shor's discrete logarithm quantum algorithm exact. Thus we 
have the first example of an exact non black box fast quantum algorithm, 
thereby giving more evidence that "quantum" need not be probabilistic. 

We also show that in a certain sense the family of circuits for the exact 
QFFT is uniform. Namely the parameters of the gates can be calculated 
efficiently. 

1 Introduction 



The "quantum fast Fourier transformation" (QFFT) plays an important role 
in quantum algorithms. It is a unitary transformation that applies the discrete 
Fourier transform to the amplitudes of a quantum register. The standard version 
has order 2™ and is applied to a quantum register consisting of n qubits. It was 
found by Coppersmith [5] (see also Shor JT]). The construction is essentially 
identical to the standard classical fast Fourier transform (FFT). Like the FFT 
it generalises to orders which are a power of a small prime and more generally 
to smooth numbers, thus integers who have only small prime factors (see Cleve 
PD). These constructions implement the desired unitary transformation exactly. 

In contrast, so far no exact (and efficient) constructions for arbitrary or- 
ders have been known. For his "Abelian stabiliser problem" Kitaev |U] gave an 
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approximate implementation based on "eigenvalue estimation" . Here we show 
how this eigenvalue estimation step can be made exact using "amplitude am- 
plification". Amplitude amplification 1 is a slight generalisation of Grover's 
algorithm, allowing to apply the square root speed up to any heuristic algo- 
rithm. Brassard and H0yer [2] used a variant of it to make Simon's algorithm 
exact. 

Finally we point out that an exact quantum Fourier transform for large 
prime orders can be used to make Shor's discrete logarithm algorithm exact. 

2 The exact QFFT p for large prime p 

The quantum Fourier transform of order (or "modulus" ) N acts on "computa- 
tional" basis states \x) as follows: 

1 N ^ 

QFFTV : \x) - \y x ) = -J2e 2 ^\y). 

y=o 

For arbitrary, in particular non-smooth N, Kitaev .9 proposes to do this in two 
steps (second part of section 5 in UJ, see also the review by Jozsa 

\x) -> I*,*,) - |*.> 

where, as usual, registers that "appear out of nowhere" are understood to have 
been initialised in the standard state |0). Similarly in the second step, one of 
the registers is reset to this state and can thus again be left away. 

The first step constructs the Fourier state \^ x ) for a given x. This can be 
done exactly by first obtaining the "uniform amplitude" superposition |^o) of 
the first p basis states of a register and then "rephasing" it: 

\x,0) - |s,* ) -» \x,0> x ). (1) 

As pointed out by Kitaev, |^/ ) can be obtained from |0) by a sequence of SO (2) 
rotations applied to each qubit in order from high to low significance, whereby 
the rotation angle has to be controlled by the previously touched qubit s. The 
rephasing then simply consists of a rephasing on each qubit, proportional to x 
and the place value of the qubit. 

The second step of Kitaev's construction is the reverse of 

|* s ,0) -> \V x ,x). 

This is done through a technique known as "eigenvalue estimation" (see also 
the article by Cleve et al. 0), which details how to find the eigenvalue of an 
unknown eigenstate of some unitary U. We will describe this in more detail 
later. Here we only need to note that although this operation is not exact, it 
leaves the eigenstate |* a ) unchanged. Thus it does: 

\x',9x .X' / (2) 

x' 
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where on the right hand side the superposition should be dominated by the term 
with x' — x, such that a measurement would yield x with good probability. We 
also included some (unwanted) "garbage" g x . x > which may be produced along 
with the eigenvalue. 

2.1 Using amplitude amplification 

We now use "amplitude amplification" [T] to eliminate all but the desired term 
\x, g x ,x)- We give here a quick review of this generalisation of Grover's algorithm. 
We are given a unitary operator A which, when applied to the initial state |0), 
gives an output state which has some component in a "good" subspace. Thus 
the probability \P goo d ^4 1 0) | 2 is not too small, where P goo d is the projector onto 
the good subspace. The amplitude of the good component can be increased 
through the following procedure 

[ A(l + (e* - lJlOXODA" 1 (1 + (e* - l)P good ) f A\0) 

where the sequence of operations in the brackets is repeated T times, depending 
on the "success probability" of the "algorithm" A alone. As in Grover's algo- 
rithm, the fastest increase is achieved when both phases are chosen <fi = ip = tt. 
The algorithm can be analysed by noting that the state always remains in a sub- 
space spanned by the state we are seeking P goo d A\Q) and by (1 — P goo d) A\Q). 
Usually an integer number of iterations will not lead exactly to the desired state 
and so we need to chose different (non-optimal) phases, either in all steps or 
only in the last one or two. In our case we will leave the phases at their stan- 
dard settings, but will modify A so that its success probability is reduced to 1/4 
where a single iteration leads exactly to the desired state. 

The operator A will be given by eq. where the state |\& x ) will have to be 
added as a "spectator" that is not changed. 

2.1.1 "Recognising" the correct solution 

Apart from the "heuristic" algorithm A, amplitude amplification requires a way 
to "recognise" the good states. More precisely, we need a way to apply the phase 
e lv to the good subspace and leave its orthogonal complement unchanged. So 
how can we check whether a number x' is the right eigenvalue of l^), thus 
whether x' = xl This can be done because the eigenstate \^ x ) is still available 
exactly. Thus given a state of the form \^ X )^2 X , c x _ x i\x' , g x _ x i), we can check 
the second register against the first one. To do this we apply the reverse of the 
steps in eq. Qto these two registers, thus: 

\x',V x ) -> -► \x',Q x - x ,) 

where in the second step we only act on the second register. The state |Wo) is 
mapped back to |0), while for x 1 ^ x we get some state \& x -x') orthogonal to 
|0). We can now apply the phase e tv to the |0) state and undo the previous 
operations. 
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2.2 "Uniformising" the success probability 



One obstacle to using amplitude amplification to make algorithms exact is that 
the success probability of the "heuristic" algorithm A must be known. But this 
probability may depend on the (unknown) instance of the problem. In our case 
the success probability of eigenvalue estimation on indeed does depend on 
x. We can fix this problem by modifying A such that the new success probability 
will become instance independent and equal to the average over all instances 
for the original A. To do this uniformisation we pick an integer r uniformly 
at random from {0,1,... p — 1} and replace |\& x ) with |^ x + r ), which is just 
a rephasing. We keep a record of r and subtract it again from the result of 
eigenvalue estimation. To do this with a unitary A we will need an additional 
register for r, but this is no problem, as we have already included the possibility 
that eigenvalue estimation (eq. |2J) also generates some unwanted garbage g x<x '- 
So now exact amplitude amplification will allow us to do 



To get rid of the "garbage" we can do the usual trick of copying the wanted 
result x into an additional "save" register and then undoing the previous steps. 
In total this will lead to six applications of A for an exact QFFT. 

In summary, the construction of an exact QFFT relies on making eigenvalue 
estimation (on Fourier states \^ x )) exact. The essential observations are that 
eigenvalue estimation leaves the eigenstate \%! x ) exactly unchanged and so it 
can be used for the checking stage of amplitude amplification. Furthermore we 
used that the success probability of estimating x from \^ x ) can rather easily be 
"uniformised" across all x = ... p — 1. 

3 An exact discrete logarithm algorithm 

An exact algorithm for the QFFT leads in a straightforward manner to an exact 
algorithm for the discrete logarithm algorithm of the same order. This was also 
observed for finite fields of prime order by Brassard and H0yer [2] (Theorem 
12). For smooth orders (only small prime factors) the problem can easily be 
solved classically. Here we give a quick review for the case when the order is a 
large prime (see also [T2], section 2.2.3). 

In a discrete logarithm problem we are given an clement a which generates 
a cyclic group of some finite order, here a prime. Thus a p — e. Then another 
element (3 of the group is given and we want to know which power of a it is; that 
is, the integer a for which (3 — a a . This is also written as a = log Q /3. In the 
quantum solution (see Shor we prepare two registers, each in a uniform 

amplitude superposition of p basis states: 



l*x,0) 




p—1 p— 1 
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Then we compute the function a x (3 V in an additional register and measure it. 
This will leave the two registers in a superposition of the form J2 y \xo — a • y, y) 
where all arithmetic operations are understood to be modulo p, xq is random 
and y runs over 0. . .p— 1. By Fourier transforming each register with a QFFTp 
we get a similar state but without the offset xq, namely an equally weighted 
superposition of all states of the form \x, a ■ x) with x = 0. . .p — 1. A measure- 
ment will now allow to compute a in all cases except when x = 0. Thus we have 
the known and instance independent success probability of 1 — 1 /p, which allows 
to easily make the algorithm exact by using (exact) amplitude amplification. 



3.1 Alternatively: directly uniformising dlog 

Actually one can directly make the success probability of the dlog algorithm 
instance independent. Thus one uses the usual algorithm with a QFFT21, but 
replaces (3 with j3-a r where r is again chosen uniformly at random from . . .p—1. 
We have noted this approach a while ago, but were not able to show that the 
(now averaged) success probability can be computed efficiently, thus it is not 
clear whether the circuit for a given p can be computed efficiently. 



4 Eigenvalue estimation 

In our case we want to estimate the eigenvalue of |^ x ) under the (unitary) 
cyclic shift operator U which acts on computational basis states as: \x) — > 
\(x + 1) modp). For eigenvalue estimation we need to do large powers of U, 
which in this case is easy. Namely we first prepare an auxiliary n-qubit register 
in a uniform amplitude superposition of all its N — 2™ basis states. (We will 
choose N to be larger than p, see below.) Then we do: 

N—i N—i , N-i 

where we used that the eigenvalue of |^ x ) under U is e ~ 27Tlx /p. Note that the 
operation we have to do is simply a modular addition on computational basis 
states, thus \a, b) — > \a, (a + b) mod p). After a Fourier transform of size 2™ on 
the auxiliary register, the probability of measuring y would be given by: 

p y = f 2 (y ~ xN/p) where f(z)~ 



Nsm(nz/N) 

We illustrate the function f(z) with N — > 00 in figure Q It is peaked around 
z = so that after measuring some y we would guess for the number we want 
to find x Ki y ■ p/N . The choice with the highest probability of obtaining the 
correct x would be to simply round y ■ p/N to the closest integer. Partially 
to simplify notation, here we round up to the next integer, thus our guess is 
x> = III ' p/AH ■ (For us the loss of some success probability does not matter, at 
least not as long as it is at least 1/4.) 
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Figure 1: The function sln ( 7rx ) _ 



Because we have N > p, it is clear that if we measure y = [x ■ N/p\ we will 
calculate the correct x. For a given x, smaller y may also lead to the correct x, 
but here we would like to eliminate this contribution to the success probability, 
as it will lead to a simpler expression. Given a y it is possible to eliminate 
these cases by also checking y > \y ■ p/N] ■ N/p — 1 and "throwing away" y's 
which do not satisfy this. (Note that in order to obtain an algorithm A with 
a certain success probability we can think as if this were a non-reversible algo- 
rithm including measurements and classical computations. Such an algorithm 
can then easily be turned into a unitary A which, besides the intended answer, 
also produces some "garbage".) So now the success probability p x for correctly 
getting x from |\J> X ) is: 

r2 ,i , t\t / \ *2/ xN modp 
p x = f([xN/p\ - xN/p) = f 2 ( 

To get the instance independent success probability of the uniformised algo- 
rithm, we average this over all x = . . .p — 1: 

1 ,2t xN modp 1 ^-4 o 

v = - V r = - V r(fc/p) 

^ x=0 ^ ^ fc=0 

where we have used that AT and p are coprime and so for each x there is exactly 
one k. 

4.1 Efficiently calculating the success probability 

For large p this sum of course is well approximated by the corresponding integral, 
which (for large A^) is approximately 0.4514. Here we show that for each p and 
N, the success probability can be approximated efficiently in the sense that the 
computation time is polynomial in the number of (e.g. decimal) digits we want 
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to compute. The following method achieves this in a simple way, although it is 
probably not the best one could do. Note that f 2 (z) can be expanded in a (fast 
converging) power series in x and 1/N. (To compute p to d digits we will only 
use polynomially many terms in d.) Now each power z m of z can be summed 
separately, giving: 

-, p-i i -, m+l 

F k=0 F y i=0 

where for each power m the coefficients A m ^ can be calculated (in various ways) 
in time polynomial in m. (A straightforward way is to simply solve the equations 
resulting from S m (p+ 1) — S m (p) = p m for the A m ^. E.g. for m = 1 we get the 
familiar formula J2k=a k = P(P ~~ 

4.2 Adjusting the success probability 

Once we have calculated the success probability p (to arbitrary precision) for a 
given p, we can use this to modify the algorithm A so that it will succeed exactly 
with probability 1/4, so that just one iteration of amplitude amplification leads 
to an exact algorithm. One way to do this is to add a qubit prepared in state 
cos(a)|0) + sin(a)|l) with p sin 2 (a) = \ and additionally require for success that 
this qubit be in state |1). The preparation of this qubit will now require the one 
"strange" gate in our algorithm, although its rotation angle a can be computed 
efficiently in the above sense. 

5 Further remarks and observations 
5.1 Generalisation to arbitrary orders 

The construction of the exact QFFT g easily generalises to arbitrary orders q. 
Above we only needed the primality of the order for (efficiently) computing the 
success probability. And there we only needed that N = 2" and q should be 
coprime. Things can easily be adjusted for the case when q is even. Either we 
can modify (a bit) the calculation of the success probability or we can consider 
the QFFT g as a tensor product of a QFFT with odd order and a standard one 
with order a power of 2. Similarly, of course, we can generalise to QFFT's over 
finite Abelian groups, not just cyclic ones. 

Also the discrete logarithm algorithm can be generalised to arbitrary orders 
q. Given the exact QFFT g , the algorithm will be successful whenever the first 
number in the measured pair (x, xa mod q) is coprime to q. So the success 
probability is 4>{q)/q where 4>(q) is the Euler totient function. If we know the 
factorisation of q, this is easily calculated and so amplitude amplification can 
be used to make the algorithm exact. 
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5.1.1 Factorisation of the order of the dlog not known 



In the following we give a more involved solution for the case when the factori- 
sation of the order q is not known. It consists of O(logg) runs of (variants of) 
the dlog quantum circuit. What is important is, that these variants still only 
use the special gates calculated (efficiently) at the beginning from q. 

In the first run it is enough, as before, to use amplitude amplification only to 
get rid of the case x — 0. We now measure a pair (x, xa mod q). If x is coprime 
to q we can directly calculate a and are done. If gcd(x, q) = d > 1, we still get 
some information about a, namely a 1 = a mod q/d, and of course the factor d 
of q. Now we have a = a' + a" • q/d, where, in a standard way, a" can be found 
by solving the dlog problem with a = ofi/ d and (3 = (3a~ a . This dlog problem 
has smaller order, as a d = e, but we want to reuse the original quantum circuit 
for order q. If in this original circuit we simply replace a, f3 with a, (3, we get 
(after the two QFFT's): 



(Note that this is essentially the same as J^k m °d d}.) We want to avoid 

only the case k = 0, but in order not to introduce new "special" gates, we 
prefer to eliminate 3/4 of all states, such that one step of standard amplitude 
amplification will lead to an exact solution. We can e.g. only retain the last 
quarter of the values k = . . .d— 1, although, if d is not divisible by 4, we will 
have to "partially tag" some states. (This can be done by appending a qubit in 
state c|0) + s|l) with \s\ 2 = 1/4, 1/2 or 3/4.) 

Now, like in the first step, we will either directly get a", or will gain partial 
information on a", together with a factor of d. This can be iterated (at most 
0(log<7) times) till the order of the dlog problem is small. 

Note that in our construction we have taken care not to introduce new 
"special" gates during the computation. This means that really the O(logg) 
quantum runs can be put together into one quantum circuit whose gates can be 
computed from q alone (without knowing its factorisation). 

5.2 No exact factorisation algorithm 

Let us also note that it is not clear how to make Shor's integer factorisation 
algorithm exact with the techniques used here. Thus this is a challenge that 
remains. We note that Mosca ^01 shows how to make factorisation exact in a 
slightly generalised model of exact quantum computation. 

5.3 Review of other work on quantum Fourier transforms 

It is interesting to note that after Kitaev [§] a more efficient and probably also 
more natural way to approximate the QFFT for arbitrary orders has been given 
by Hallgren and Hales |7]. In particular their construction uses fewer qubits, 
but it seems not to lend itself to the techniques used here to make it exact. 




\k-q/d, a"k-q/d mod q) 
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Also note the simplified "semiclassical" version of the standard QFFT by 
Griffiths and Niu 0. For practical implementations of Shor's algorithms this 
would probably be the method of choice. 
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